IMSI catchers (fake mobile towers) just £150K a pop; the Met forked out for six of 'em.

Share this story

Several police forces in England have bought equipment to create fake mobile phone masts—known as IMSI catchers or stingrays—that can be used to eavesdrop on telephone conversations without users being aware.

Documents obtained by the Bristol Cable, a media cooperative, reveal that—in addition to the Metropolitan Police, which is already suspected of using the covert listening gear—police forces in Avon and Somerset, Staffordshire, Warwickshire, West Mercia, West Midlands, and South Yorkshire have all acquired the devices.

IMSI catchers or stingrays (after a US company that makes such devices) work by sending out a signal that tricks a mobile phone into connecting with the equipment, rather than a legitimate base station. This allows information to be gathered about the device and its conversations by carrying out a man-in-the-middle attack.

Further Reading

The documents, obtained using freedom of information requests found by searching through publicly-available police expenditure data, provide important new details about IMSI catchers. For example, an acronym used by several police forces—CCDC—is revealed by unredacted minutes of a meeting held in May 2016 between West Mercia and Warwickshire police to stand for "Covert Communications Data Capture." Another document, this time from South Yorkshire cops, allowed the Cable to deduce that the CCDC was an IMSI catcher, something later confirmed by the police force concerned.

The documents also reveal how much IMSI catchers cost. South Yorkshire paid £144,000, while a document from Avon and Somerset showed that £169,575 had been spent on "CCDC equipment." Scotland Yard paid out no less than £1,037,223 in the final three months of last year—which suggests it bought around half-a-dozen IMSI catchers during its third quarter. Ars has asked the Met to confirm this number, but hadn't received a reply at time of publication.

Cellxion—the company supplying the IMSI catchers—is name-checked several times in the documents. However, on its website there is no mention of the device, only details of a "Quad Modem Telemetry System VPN Platform." Curiously, at the foot of the single Web page on the site, there is the following warning: "Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from Cellxion ltd."

Further Reading

Information about the firm beyond Companies House is thin. Cellxion's turnover was £11.57 million last year, down from £13.41 million in 2014. Ars has sought further comment from Cellxion on its IMSI sales. It sells most of its goods—the balance sheet shows—to the rest of Europe and had 11 employees on its books at the end of October 2015. Cellxion is scheduled to appear at the home office's security and policing event next year.

The latest details obtained by the Cable confirm earlier suspicions that IMSI catchers are available in the UK, and thus presumably widely used, given their considerable cost.

Here's some interesting stuff on Cellxion... IP decision for example sheds a tiny amount of light on them. Sadly I can not find the referenced documents in this decision. Possibly because they were never forth coming.

Here's some interesting stuff on Cellxion... IP decision for example sheds a tiny amount of light on them. Sadly I can not find the referenced documents in this decision. Possibly because they were never forth coming.

It would be interesting to know where these devices stand legally in the UK, as they're presumably equivalent to wire-tapping indiscriminately over a wide area. Are safeguards in place to prevent any access to calls other than those you're supposed to be intercepting? Are warrants required, and if so on what type of grounds?

The terms and conditions at the bottom of the suppliers website are some of the most terrifying things I've ever read, does it not imply that without prior authorisation to visit it they will attempt to prosecute you if they can?

"United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. Your IP address has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd."

The terms and conditions at the bottom of the suppliers website are some of the most terrifying things I've ever read, does it not imply that without prior authorisation to visit it they will attempt to prosecute you if they can?

"United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. Your IP address has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd."

The terms and conditions at the bottom of the suppliers website are some of the most terrifying things I've ever read, does it not imply that without prior authorisation to visit it they will attempt to prosecute you if they can?

"United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. Your IP address has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd."

In addition to what matthew.kuiash said I think they may also be in breach of UK legislation by not displaying a company registration number or (physical) contact address...

No, that's just standard boilerplate from the CMA1990. Applies to ANY website (or other network system) you visit. Making a webpage accessible without login and search-engine indexed (and providing that URL in official publications etc) is implicit authorisation to access. Visiting a homepage: OKGuessing a URL and visiting a non-indexed page: grey area. As far as I know, companies have attempted to prosecute for this, but none have succeeded.Guessing a password to access a page: doubleplusungood.

The terms and conditions at the bottom of the suppliers website are some of the most terrifying things I've ever read, does it not imply that without prior authorisation to visit it they will attempt to prosecute you if they can?

"United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. Your IP address has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd."

In addition to what matthew.kuiash said I think they may also be in breach of UK legislation by not displaying a company registration number or (physical) contact address...

No, that's just standard boilerplate from the CMA1990. Applies to ANY website (or other network system) you visit. Making a webpage accessible without login and search-engine indexed (and providing that URL in official publications etc) is implicit authorisation to access. Visiting a homepage: OKGuessing a URL and visiting a non-indexed page: grey area. As far as I know, companies have attempted to prosecute for this, but none have succeeded.Guessing a password to access a page: doubleplusungood.

Could you give me a link for CMA1990 (Specifically the boilerplate you refer to), I've never come across these T&C's before and cannot find any reference in the documents I have here? My google-fu only brings up the Cellxion web page, and a few other people laughing at it when searching for snippets of this text? Eg. try searching for "Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law" as an example (the most generic sentence in their t&c's) and see what comes up.

Your spot on in that they wouldn't have a chance in hell of getting a prosecution for accessing a google indexed page, though their wording implies strongly that they do. Slightly silly I know - but the absurdity of their policy potentially invalidates any legal assertation they make, as it is patently unenforceable or reasonable, at least in the UK. Also, they seem to have removed their websites from the face of the internets (and google cache, though the way back machine still has some snapshots) since these posts were made. They have updated their nameservers to Rook Media's domain parking service, and look like they are performing a reasonably effective digital scorched earth policy, wouldn't be surprised to see a new company registered in a few days...